How to Configure SSL Protocols

    Overview

    This topic describes how to disable specific SSL/TLS protocol versions, such as TLS 1.0 and/or TLS 1.1, on Tomcat 10.

    Which SSL protocols are supported is controlled by a single configuration file on the Matillion ETL instance. The settings used below follow Tomcat's own SSL configuration documentation.

    Note
    • The file that needs to be edited is /etc/tomcat/server.xml.
    • The properties mentioned are case-sensitive. Default server.xml files already define the property sslProtocol="TLS"; because attribute names are case-sensitive, this is not the same property as the one shown below.
    • Tomcat needs to be restarted after making changes to the server.xml file.

    For these instructions, a default Matillion ETL configuration is assumed. An example of a default Matillion ETL configuration looks like the block below:

    <?xml version="1.0" encoding="UTF-8"?>
    <Server port="8005" shutdown="SHUTDOWN">
      <Listener className="org.apache.catalina.startup.VersionLoggerListener"/>
      <Listener SSLEngine="on" className="org.apache.catalina.core.AprLifecycleListener"/>
      <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
      <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
      <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>
      <GlobalNamingResources>
        <Resource auth="Container" description="User database that can be updated and saved" factory="org.apache.catalina.users.MemoryUserDatabaseFactory" name="UserDatabase" pathname="conf/tomcat-users.xml" readonly="false" type="org.apache.catalina.UserDatabase"/>
      </GlobalNamingResources>
      <Service name="Catalina">
        <Connector SSLEnabled="true" clientAuth="false" maxPostSize="10485760" maxThreads="150" port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol" scheme="https" secure="true" sslProtocol="TLS">
          <SSLHostConfig>
            <Certificate certificateFile="${catalina.base}/conf/localhost.crt" certificateKeyFile="${catalina.base}/conf/localhost.key"/>
          </SSLHostConfig>
        </Connector>
        <Engine defaultHost="localhost" name="Catalina">
          <Realm className="org.apache.catalina.realm.LockOutRealm">
            <Realm className="org.apache.catalina.realm.UserDatabaseRealm">
              <CredentialHandler algorithm="SHA-512" className="org.apache.catalina.realm.MessageDigestCredentialHandler"/>
            </Realm>
          </Realm>
          <Host appBase="webapps" autoDeploy="false" name="localhost" unpackWARs="true">
            <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log" suffix=".txt"/>
          </Host>
        </Engine>
      </Service>
    </Server>
    
    1. To allow only the TLSv1.2 protocol, open the configuration file /etc/tomcat/server.xml.
    2. Replace <SSLHostConfig> with <SSLHostConfig protocols="TLSv1.2">.
    3. Save the change and then restart Tomcat.

    To restart from an SSH session:

    1. Run sudo service tomcat stop.
    2. Then run sudo service tomcat start.

    To restart from the Matillion ETL UI:

    1. Click Admin > Restart Server.
    2. Click Yes.

    Confirm disabled protocols

    To confirm that TLS 1 has been disabled, run the following command:

    openssl s_client -connect localhost:8443 -tls1
    

    To confirm that TLS 1.1 has been disabled, run the following command:

    openssl s_client -connect localhost:8443 -tls1_1
    

    Both commands should return outputs of this kind:

    [centos@ip-172-31-32-213 ~]$ openssl s_client -connect localhost:8443 -tls1_1
    CONNECTED(00000003)
    140677227890576:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:s3_pkt.c:1493:SSL alert number 70
    140677227890576:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 7 bytes and written 0 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1610388404
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    ---
    

    Validate that TLS 1.2 is still enabled

    To validate that TLS 1.2 remains enabled, run the following command:

    openssl s_client -connect localhost:8443 -tls1_2
    

    The handshake should succeed, and the output should include the server certificate and look like this:

    CONNECTED(00000003)
    depth=0 C = GB
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 C = GB
    verify error:num=10:certificate has expired
    notAfter=Jun  8 14:27:19 2020 GMT
    verify return:1
    depth=0 C = GB
    notAfter=Jun  8 14:27:19 2020 GMT
    verify return:1
    ---
    Certificate chain
    0 s:/C=GB
    i:/C=GB
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIC7TCCAdWgAwIBAgIJAMsPhhsmv/jdMA0GCSqGSIb3DQEBCwUAMA0xCzAJBgNV
    BAYTAkdCMB4XDTIwMDUwOTE0MjcxOVoXDTIwMDYwODE0MjcxOVowDTELMAkGA1UE
    BhMCR0IwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDDkDA80QKNRRGW
    yc7KJuOuq96j7LtJFcHFPDqU0F4gUAoHaim39YtqCQSWXwd4eCBFVv9v3UWX+cS0
    dFOe8AT0eeAzeAxfzE1LC3yT2H+3ALq55/CLSQxIPrQ9U+uPY9+p/duJ7IF6bJJM
    DXGZ1ua0u4UbNc1EB9pkN6jO/iCAvB2CLQC6Gyi6+8yCFzZ14HJmHtaEbYpey0BA
    3cm2y4FQCU3AqfVJk0k4E21Go1y8Dj59gr/dsk2A3KQXB3SdKgVZyc6r4GctQavV
    Do4SfXAAHvkHFXVBOQtNvukb+SNf+0XoRytVkzDoTZ6+lkmvVvryVQOrRT3gu5R/
    X7dh4iJ/AgMBAAGjUDBOMB0GA1UdDgQWBBRyiAZrwV50C6AxabY6e55QIS1i6jAf
    BgNVHSMEGDAWgBRyiAZrwV50C6AxabY6e55QIS1i6jAMBgNVHRMEBTADAQH/MA0G
    CSqGSIb3DQEBCwUAA4IBAQCdrlJbeDgmjpKaexXGU6tn2xQjtyz4xQGmHkcwjLzp
    cW3Ixo+DwKKQaHDRhqyrKXGEU7Vbe1rXfX6ouF5z5vutLri4N0WHhZ12O8WI3SqX
    kfQhIs+F8vY0a6Ua+aiiymXa05NA9P8xu5rO1R48xDvJ+lTGODYUGBQxLcr7eZ2M
    UVFtPabu8b4h9UjcnxffU7MMS5Xu1Ag16aWw3CtEi/JOtkRvJr1RQ+wrn2uWJ/tv
    VaNmNZ3J+HktX+IrRsTYcQiHu/JJ0A3m3TL1HB7jZVQ4BO54iXHhvZdAuXqCfhuL
    f9YOWQ5g+H6ECOdwCvu+q1aGEV+yRzch1YA2Vah/2yJQ
    -----END CERTIFICATE-----
    subject=/C=GB
    issuer=/C=GB
    ---
    No client certificate CA names sent
    Peer signing digest: SHA512
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 1428 bytes and written 415 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 8F50EEEAF9F8C0F4FF8F09FF20A3850FDAC04B9EE6FD3C18896E666022E200FE
    Session-ID-ctx: 
    Master-Key: 59B6EB386A6A5CB4BA533DE73BEE8A1AE21056F50C67392ACD83EEFCD920B39F295B4D40E00148B5271AB31DA46BECD9
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 86400 (seconds)
    TLS session ticket:
    0000 - 96 2b 0d ce 60 78 29 a0-1e fd f0 d0 38 2a ef f4   .+..`x).....8*..
    0010 - 62 ea ec 77 98 bf 2e 87-f8 aa bc ce 74 1f 12 47   b..w........t..G
    0020 - ab b4 47 c4 3f 44 f5 07-76 2d 15 b9 14 a0 9f 52   ..G.?D..v-.....R
    0030 - 39 b8 f0 d3 64 3a 66 d4-01 68 df b4 de b2 97 97   9...d:f..h......
    0040 - a7 a5 f5 59 1f df 0b a4-2b ad 90 d7 15 67 c9 ba   ...Y....+....g..
    0050 - ae 52 89 a9 24 dc a6 01-3c 44 dd 12 a5 02 79 1d   .R..$...<D....y.
    0060 - d1 a9 12 88 f9 61 e4 bc-22 4c 6f 2d 1a 86 ce b8   .....a.."Lo-....
    0070 - bb 34 56 65 34 3b e8 5e-7d 49 60 05 a6 45 92 30   .4Ve4;.^}I`..E.0
    0080 - dc ca a1 0e 0c 94 a5 3d-bb 1a 83 cf ac 3f 89 83   .......=.....?..
    0090 - 49 80 b8 3b 4e 77 f4 a4-7e 13 82 f4 e0 d9 9f c9   I..;Nw..~.......
    00a0 - 3b 64 b1 a4 ec dc de e5-aa 7b 70 df 75 03 c4 4d   ;d.......{p.u..M
    Start Time: 1610388589
    Verify return code: 10 (certificate has expired)
    ---
    

    For more information, read the Apache Tomcat 10 documentation.
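    The three openssl checks above can be run together and compared against the intended policy. The script below is an added example (not part of the Matillion article and not Tomcat's or OpenSSL's own tooling): it runs openssl s_client once per protocol version against a host and port you supply, classifies each captured output as accepted or rejected using the markers visible in the outputs above ("alert protocol version", "handshake failure", "Cipher is (NONE)"), and lists any version the server accepts that the policy does not allow. The function names, the policy default (TLSv1.2 only, as in this article) and the embedded sample outputs are mine; the samples are constructed, abbreviated copies of the two kinds of output shown above.

```python
"""Probe a TLS endpoint with openssl s_client, one protocol version at a time, and
compare what the server accepts with the intended policy (only TLSv1.2 in this article).
Added example; function names and the embedded sample outputs are constructed."""
import shutil
import subprocess

# openssl s_client flag that forces exactly one protocol version.
VERSION_FLAGS = {
    "TLSv1": "-tls1",
    "TLSv1.1": "-tls1_1",
    "TLSv1.2": "-tls1_2",
    "TLSv1.3": "-tls1_3",
}


def handshake_accepted(s_client_output):
    """Classify captured s_client output (stdout and stderr combined).

    Returns True when a cipher was negotiated, False when the server rejected the
    version (protocol-version alert, handshake failure, or 'Cipher is (NONE)'),
    and None when the local openssl build does not support the flag at all.
    """
    text = s_client_output
    if "unknown option" in text.lower():
        return None
    if "alert protocol version" in text or "handshake failure" in text:
        return False
    for line in text.splitlines():
        # Summary line reads "New, TLSv1/SSLv3, Cipher is ECDHE-..." on success
        # and "New, (NONE), Cipher is (NONE)" when nothing was negotiated.
        if line.startswith("New,") and "Cipher is" in line:
            return "(NONE)" not in line
    return False


def run_s_client(host, port, flag, timeout=10):
    """Run one openssl s_client handshake and return its combined output as text."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", flag],
        input=b"",  # close stdin at once so s_client exits right after the handshake
        capture_output=True,
        timeout=timeout,
    )
    return proc.stdout.decode(errors="replace") + proc.stderr.decode(errors="replace")


def probe(host, port, versions=VERSION_FLAGS):
    """Return {version: True/False/None} for every version in `versions`."""
    if shutil.which("openssl") is None:
        raise RuntimeError("openssl not found on PATH")
    return {v: handshake_accepted(run_s_client(host, port, flag)) for v, flag in versions.items()}


def policy_violations(results, allowed=("TLSv1.2",)):
    """Versions the server accepted that the policy does not allow (empty list = compliant)."""
    return sorted(v for v, accepted in results.items() if accepted and v not in allowed)


# Constructed, abbreviated samples of the two kinds of output shown in the article.
REJECTED_SAMPLE = """CONNECTED(00000003)
140677227890576:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:s3_pkt.c:1493:SSL alert number 70
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000
"""

ACCEPTED_SAMPLE = """CONNECTED(00000003)
depth=0 C = GB
verify return:1
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
"""

if __name__ == "__main__":
    import sys

    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8443
    results = probe(host, port)
    for version, accepted in results.items():
        state = "accepted" if accepted else ("rejected" if accepted is False else "unsupported locally")
        print(f"{version:8s} {state}")
    print("policy violations:", ", ".join(policy_violations(results)) or "none")
```

    Run it on the instance as `python3 probe_tls.py localhost 8443` after the restart. Note that `protocols="TLSv1.2"` also rejects TLS 1.3; if you want TLS 1.3 as well, add it both to the `protocols` attribute (`TLSv1.2+TLSv1.3`) and to the `allowed` tuple, otherwise the script will report it as a violation when the server accepts it.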


    Versions older than 1.69 of Matillion ETL

    If you're using a version before 1.69 (which likely runs Tomcat 8 rather than Tomcat 10), follow the instructions below instead.

    Tomcat uses two different implementations of SSL:

    • The JSSE implementation that's provided as part of the Java runtime (since Java 1.4).
    • The APR implementation, which uses the OpenSSL engine by default.

    Configuration details depend on the implementation being used.

    Note
    • The file that needs to be edited is /etc/tomcat/server.xml.
    • The properties mentioned are case-sensitive. Default server.xml files already define the property sslProtocol="TLS"; because attribute names are case-sensitive, this is not the same property as the SSLProtocol shown below.
    • Tomcat needs to be restarted after making changes to the server.xml file.

    For these instructions, the APR implementation is required. Make sure the SSLEngine attribute of the AprLifecycleListener is set to a value other than off; the default value is on. If you specify another value, it must be a valid engine name.

    An example of APR configuration looks like the block below.

    <Connector SSLCertificateFile="${catalina.base}/conf/localhost.crt"
               SSLCertificateKeyFile="${catalina.base}/conf/localhost.key"
               SSLEnabled="true"
               clientAuth="false"
               maxThreads="150"
               port="8443"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               scheme="https"
               secure="true"
               SSLProtocol="TLSv1.2"
               sslEnabledProtocols="TLSv1.2" />
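
    Before restarting Tomcat it is worth checking the edited server.xml for connectors that still offer a legacy version. The script below is an added example (not Matillion's or Tomcat's own code) that serves both configuration styles in this article: for every Connector with SSLEnabled="true" it reads the protocol list from the SSLHostConfig protocols attribute (the Tomcat 10 style shown in the first part of the article) or, when there is no SSLHostConfig, from the connector-level sslEnabledProtocols (JSSE) or SSLProtocol (APR) attribute as in the block above, expands Tomcat's all / + / - list syntax, and reports which legacy versions remain enabled. Because it matches attribute names exactly, the default sslProtocol="TLS" is not mistaken for a protocol list, which is the case-sensitivity point made in the note. The meaning of the value "all" is taken from Tomcat's SSLHostConfig documentation and is an assumption about the version you audit; the sample server.xml embedded in the script is a constructed, trimmed copy of the default configuration shown earlier, and the function names are mine.

```python
"""Audit a Tomcat server.xml for HTTPS connectors that still accept legacy TLS versions.
Added example; function names and the sample configuration are constructed."""
import re
import xml.etree.ElementTree as ET

# Tomcat documents the special value "all" as an alias for these five names
# (assumption: the Tomcat version you audit uses the same alias; the JVM or the
# OpenSSL build may additionally refuse TLSv1/TLSv1.1 on its own).
ALL_PROTOCOLS = {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
# Versions that should no longer be offered.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def expand_protocols(spec):
    """Expand a Tomcat protocol list into the set of enabled version names.

    Accepts the documented forms: "all", "TLSv1.2", "TLSv1.2+TLSv1.3",
    "all,-TLSv1,-TLSv1.1". A bare token or "+token" adds, "-token" removes.
    """
    enabled = set()
    # Split just before every ',', '+' or '-', the way Tomcat tokenises the value.
    for token in re.split(r"(?=[-+,])", spec):
        token = token.strip().lstrip(",").strip()
        if not token:
            continue
        op, name = "+", token
        if token[0] in "+-":
            op, name = token[0], token[1:].strip()
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        if op == "+":
            enabled |= names
        else:
            enabled -= names
    return enabled


def audit_server_xml(xml_text):
    """Return one finding per TLS connector: (port, raw spec, enabled sorted, legacy sorted)."""
    root = ET.fromstring(xml_text)
    findings = []
    for connector in root.iter("Connector"):
        if connector.get("SSLEnabled", "false").lower() != "true":
            continue
        port = connector.get("port", "?")
        host_configs = connector.findall("SSLHostConfig")
        if host_configs:
            # Tomcat 8.5+/9/10 style: protocols live on <SSLHostConfig>, default "all".
            specs = [hc.get("protocols", "all") for hc in host_configs]
        else:
            # Connector-attribute style: sslEnabledProtocols (JSSE) or SSLProtocol (APR).
            # Attribute names are case-sensitive, so the default sslProtocol="TLS" is ignored here.
            specs = [connector.get("sslEnabledProtocols") or connector.get("SSLProtocol") or "all"]
        for spec in specs:
            enabled = expand_protocols(spec)
            findings.append((port, spec, sorted(enabled), sorted(enabled & LEGACY_PROTOCOLS)))
    return findings


def legacy_enabled(xml_text):
    """True if any TLS connector in the file still offers a legacy version."""
    return any(legacy for _, _, _, legacy in audit_server_xml(xml_text))


# Constructed, trimmed copy of the default configuration shown earlier in the article.
DEFAULT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector SSLEnabled="true" clientAuth="false" maxThreads="150" port="8443"
               protocol="org.apache.coyote.http11.Http11Nio2Protocol"
               scheme="https" secure="true" sslProtocol="TLS">
      <SSLHostConfig>
        <Certificate certificateFile="${catalina.base}/conf/localhost.crt"
                     certificateKeyFile="${catalina.base}/conf/localhost.key"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""
# The change the article makes: allow only TLSv1.2.
HARDENED_XML = DEFAULT_XML.replace("<SSLHostConfig>", '<SSLHostConfig protocols="TLSv1.2">')

if __name__ == "__main__":
    import sys

    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/tomcat/server.xml"
    with open(path, encoding="utf-8") as fh:
        for port, spec, enabled, legacy in audit_server_xml(fh.read()):
            status = "LEGACY STILL ENABLED: " + ", ".join(legacy) if legacy else "ok"
            print(f"port {port}: protocols={spec!r} -> {', '.join(enabled)} [{status}]")
```

    Run it as `python3 audit_tls.py /etc/tomcat/server.xml`; an unmodified default file reports TLSv1 and TLSv1.1 as still enabled, and the file edited as described in this article reports only TLSv1.2.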
    

    Contact support

    If you require additional assistance disabling or enabling SSL protocols, read Getting Support.